Click here to Skip to main content
15,892,927 members
Search within:


Articles / Web Development / ASP.NET
 
Technical Blog
View Original

Authentication, Authorization and OWIN - Who Moved My Cheese?

Rate me:
Please Sign up or sign in to vote.
4.33/5 (3 votes)
6 Oct 2014Ms-PL3 min read 22.9K   5   4
With the introduction of OWIN-based security and Identity management in ASP.NET 4.5, the configuration of authentication and authorization have changed a bit for web forms developers.  In this article, I review where configuration has been turned off and where they have relocated to.

My secret identity... The Stig!

My secret identity... The Stig!

I was working with one of my ASP.NET projects this weekend and ran into an interesting problem while I was debugging. This application was written from the ground up to use ASP.NET identity and OAuth security for all of my authentication and authorization needs. That also means that my application follows the new default layout for an ASP.NET web forms application, with account management and login capabilities reside in the /Account folder structure.

An interesting series of things happens to web.config when we adapt the OAuth security management in ASP.NET 4.5+. What follows is what I have learned the hard way...

Authentication Information in Web.Config Disappears

If you're a long time developer with ASP.NET like me, you're accustomed to the FormsAuthentication configuration in web.config. With the new authentication and identity modules in ASP.NET 4.5, all of this goes away. This really tweaked me at first, I got confused and followed the code... and trust me, it's all good.

Web.Config has its authentication turned off and all identity providers removed. Check out this snippet from a fresh web.config in a new ASP.NET 4.5 application:

XML
<system.web>
   <authentication mode="None" />
   <!-- other stuff -->
   <membership>
     <providers>
       <clear />
     </providers>
   </membership>
   <profile>
     <providers>
       <clear />
     </providers>
   </profile>
   <roleManager>
     <providers>
       <clear />
     </providers>
   </roleManager>
   <!-- other stuff -->
   </system.web>
 <system.webServer>
   <modules>
     <remove name="FormsAuthentication" />
   </modules>
 </system.webServer>

That's some scary stuff right there. Everything that I've known since ASP.NET was released in 2002 screams out: NOOOOOooooooo! This is the necessary configuration to turn off all of the embedded and automatically activated security modules in ASP.NET. With that functionality shut off, the OAuth security module can step in.

OAuth Security Configuration

Instead, all of the security configuration goodness is kicked off in a new OWIN-compliant manner from within Startup.cs on the root of the application.

C#
[assembly: OwinStartup(typeof(MyApplication.Startup))]

namespace MyApplication
{
  public partial class Startup
  {
    public void Configuration(IAppBuilder app)
    {
      ConfigureAuth(app);
      app.MapSignalR();
    }
  }
}

Check out that attribute at the top of the file, an OwinStartupAttribute that points to this class that contains the codified configuration of the application. The class is required to have a Configuration method with the same signature in this snippet. I'm not clear why the class does not adhere to an interface that enforces the presence of this method, but this is the requirement. You can see from here that it calls the ConfigureAuth method in the App_Start/Startup.Auth.cs file. It's in there that we can find all of the configuration for managing the authentication of resources in the application.

C#
public void ConfigureAuth(IAppBuilder app)
{
 
  // Stuff to configure the Identity data storage
  
  // Enable the application to use a cookie to store information for the signed in user
  // Configure the sign in cookie
  app.UseCookieAuthentication(new CookieAuthenticationOptions
  {
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login")
      // other stuff
  });
  
  // more stuff down here
}

This is where I was thrown for a loop. How does ASP.NET know where my login page is? It's defined right here with the LoginPage configuration property inside of the CookieAuthenticationOptions class.

How is Authorization Handled?

Finally, how is authorization to pages handled? In the past, I would write blocks of XML with authorization elements that looked similar to the following:

XML
<location path="Admin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Admin" />
    </authorization>
  </system.web>
</location>

The good news is that none of that has changed, and we can continue to code high-level authorization rules inside of web.config files in ASP.NET 4.5.

Summary

It's not a good idea to tinker with the default security configuration of ASP.NET unless you know where all of the moving pieces are. In the past, I knew where everything was referencing from web.config through global.asax.cs to verify connections to my application where authenticated and authorized. In the new Owin enabled ASP.NET, those pieces have moved and are now very descriptive in their new locations. Coming soon, I have a Pluralsight course that will discuss all of the cool things that you can do to configure ASP.NET OWIN security and other Advanced topics. I look forward to delivering it for you in the very near future.

This article was originally posted at http://feeds.feedburner.com/CsharpOnTheFritz

License

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)


Written By
Jeffrey T. Fritz
Program Manager
United States United States
Jeff Fritz is a senior program manager in Microsoft’s Developer Division working on the .NET Community Team. As a long time web developer and application architect with experience in large and small applications across a variety of verticals, he knows how to build for performance and practicality. Four days a week, you can catch Jeff hosting a live video stream called 'Fritz and Friends' at twitch.tv/csharpfritz. You can also learn from Jeff on WintellectNow and Pluralsight, follow him on twitter @csharpfritz, and read his blog at jeffreyfritz.com

Comments and Discussions

 
First Prev Next
QuestionAuthorization still works? Pin
laksh4u25-Feb-16 7:55
laksh4u25-Feb-16 7:55 
Questionauthorization Pin
Ashraf Sabry16-Mar-15 2:21
Ashraf Sabry16-Mar-15 2:21 
GeneralThank you. Pin
Member 1136537327-Jan-15 3:20
Member 1136537327-Jan-15 3:20 
GeneralThanks! Pin
Neil Diffenbaugh7-Oct-14 8:50
Neil Diffenbaugh7-Oct-14 8:50 
Last Visit: 31-Dec-99 18:00     Last Update: 6-May-24 21:25Refresh1

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 6 Oct 2014

Article Copyright 2014 by Jeffrey T. Fritz
Everything else Copyright © CodeProject, 1999-2024

Web03 2.8:2024-04-02:1